[squid-users] Dropbox and GoogleDrive apps won't connect with SSLBump enabled

Rafael Akchurin rafael.akchurin at diladele.com
Tue Sep 1 04:39:00 UTC 2015


SSL pinning means the Dropbox application knows the fingerprint of the connection's certificate out-of-band and will simply refuse to work with another one (even a trusted one).

It is not possible to change this behaviour without recompiling unless the developers of Dropbox have some "managed" mode...

See http://docs.diladele.com/faq/squid/dropbox.html

Best regards,
Rafael

On 1 Sep 2015, at 00:55, Stanford Prescott <stan.prescott at gmail.com> wrote:

Yes, SSLBump still works with the web apps, but it would be a lot more convenient if the mobile apps would also work.

Does anyone know how to pin Squid's self-signed certificate's public key to GoogleDrive and Dropbox so that it would work with SSLBump enabled?

Stan

On Mon, Aug 31, 2015 at 3:29 PM, Yuri Voinov <yvoinov at gmail.com> wrote:


BTW, GoogleDrive web application still works with bump. Use it, Luke ;)

01.09.15 2:21, Jason Haar wrote:
> On 01/09/15 02:59, Shane King wrote:
>> Accessing via the browser may work but the sync clients that sit in
>> the system tray use certificate pinning I believe. So if certificate
>> pinning is being used, ssl bumping will not work. You will see an
>> alert message in the pcap followed by a connection termination.
>
> This stopped working for me last week - I suspect there was an update or
> something
>
> Really frustrating: one of the primary reasons I want to do TLS
> intercept is to AV all the viruses published on dropbox!!!
>
> If the Cloud providers go full pinning, the future of TLS Intercept is bleak
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org<mailto:squid-users at lists.squid-cache.org>
> http://lists.squid-cache.org/listinfo/squid-users



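The pcap symptom described in the quoted thread (an alert message followed by connection termination) can be checked mechanically on the client-to-server bytes of a bumped connection. The following Python code is an added example, not code from this thread or from Squid; the function names and byte streams are constructed for illustration, and it assumes TLS 1.2 or earlier, where a client that rejects the server certificate sends its alert in plaintext before ChangeCipherSpec.

```python
import struct

# TLS record content types (RFC 5246).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
# Alert descriptions a client sends when it refuses the server's certificate.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               46: "certificate_unknown", 48: "unknown_ca"}

def records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:        # truncated capture: stop cleanly
            return
        yield ctype, payload
        pos += 5 + length

def client_rejected_certificate(client_stream: bytes):
    """Return the alert name if the client aborted the handshake with a
    plaintext certificate-related alert, otherwise None."""
    seen_hello = False
    for ctype, payload in records(client_stream):
        if ctype == HANDSHAKE and payload[:1] == b"\x01":    # ClientHello
            seen_hello = True
        elif ctype == CHANGE_CIPHER_SPEC:
            return None                  # handshake went on; later records are encrypted
        elif ctype == ALERT and seen_hello and len(payload) == 2:
            _level, description = payload
            if description in CERT_ALERTS:
                return CERT_ALERTS[description]
    return None

def record(ctype: int, payload: bytes, version: int = 0x0303) -> bytes:
    """Build one TLS record (used only to construct the sample streams below)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

# Constructed client-to-server streams with abbreviated handshake bodies,
# not taken from a real capture.
CLIENT_HELLO = record(HANDSHAKE, b"\x01\x00\x00\x02\x03\x03", version=0x0301)
# Pinned sync client: ClientHello, then a fatal unknown_ca alert, then nothing.
PINNED_CLIENT = CLIENT_HELLO + record(ALERT, b"\x02\x30")
# Browser that trusts the proxy CA: key exchange, ChangeCipherSpec, encrypted data.
BROWSER = (CLIENT_HELLO + record(HANDSHAKE, b"\x10\x00\x00\x00")
           + record(CHANGE_CIPHER_SPEC, b"\x01")
           + record(APPLICATION_DATA, b"\x00" * 32))

if __name__ == "__main__":
    print("pinned client:", client_rejected_certificate(PINNED_CLIENT))
    print("browser:", client_rejected_certificate(BROWSER))
```

Run over the reassembled client side of each intercepted connection, this separates applications that refuse the bumped certificate from ordinary connection failures.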